Description

With Multi-Factor Authentication, adding a second factor of authentication to on-premises and cloud applications is easier than ever. Join this session for a deep technical breakdown of Multi-Factor Authentication and how it works with Active Directory, Active Directory Federation Services (AD FS), and Microsoft Azure Active Directory to enable rapid deployment of multi-factor authentication for a wide range of applications. Multi-Factor Authentication secures access to remote access VPNs, virtual desktops, web applications (OWA and SharePoint), cloud services (Office 365), and custom applications. We show you how.

The Discussion

1) "something only the user knows" (aka password)
2) "something only the user has".

Multi-Factor authentication with phone or email IS NOT effective because the communication can be "known" by the service provider. Phone and email are not "something only the user has".

A token-code generated by a Mobile App is better, but the "secret seed" (which is needed to generate token-codes) must be encrypted using a PIN code. This PIN can be seen by a third person while you are typing it into your Mobile device.

Hardware tokens are more secure because the "secret seed" is stored in secure memory; no-one can see this secret key.

Azure Multi-Factor Authentication doesn't use email. It uses a phone or mobile device that the user registers. When they sign in with their username and password, they prove that the registered phone/device is in their possession by answering a phone call, receiving a text message, receiving a push notification to the MFA app registered on the device, or using an OTP from the mobile app.

All forms of multi-factor authentication (phone call, text, mobile app, soft token, hardware token, USB token, grid card, smart card, etc.) are more secure than using just a username and password. Using the phone call, two-way text message or push notification to the mobile app is more secure than software or hardware tokens because they are 100% out of band, meaning that the second factor of authentication is completed in a totally separate channel from the first factor of authentication. If a keystroke logger or malware is able to compromise a user's username and password, it is not able (or finds it much more difficult) to compromise the second factor.

Using the phone/mobile device as the device the user has in their possession is much more convenient for both the end user and IT than hardware (and often software) tokens, and is generally less expensive. The IT department doesn't have to purchase tokens, sync them, distribute them, replace them when lost/broken, etc., and the user doesn't have to carry an extra device with them.